Hi everyone. Well, the title pretty much says it all. I am trying to protect my forms against any possible SQL injection attacks. However, so far the only thing I am aware of is to use the .mysql_real_escape_string($Variable)."' method (I don't know what it's really called). So, if I use this method to protect the values that are being inserted into SQL, is my site/database all safe, or not? Well, if the answer is NO, then I would love to know more of the same (in other words, 'simple') methods to protect against any SQL injection threats. Thanks in advance for everything.
There is not a simple solution, but what you are doing is better than nothing. It is better to also sanitize your variables.
mysql_real_escape_string is pretty good. As long as you are applying it to all data that can be manipulated by a user, it should work. Using a 3rd-party abstraction layer like PDO and prepared statements is even safer. It pretty much guarantees any database interaction will be sanitary before running a transaction. ORMs like Doctrine and Propel are a good way to access your database safely as an object. They will all add some overhead to a script, but I highly recommend them from a development speed and security perspective.
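As an added illustration of the two approaches discussed above (this is example code written for this thread, not code posted by any of the participants), the first function shows the escaping style the question describes and the second shows the PDO prepared-statement style the reply recommends. It assumes a MySQL table named `users` with columns `id`, `username` and `email`; the DSN, credentials and table are placeholders, not values from the thread.

```php
<?php
// Added example, not from the original thread.
// Assumes a `users` table (id, username, email) on a MySQL server reachable via PDO.
// DSN and credentials below are placeholders for your own environment.

$dsn  = 'mysql:host=localhost;dbname=example_db;charset=utf8mb4';
$user = 'db_user';      // placeholder
$pass = 'db_password';  // placeholder

// --- 1. Escaping approach (what the question describes) ---
// mysql_real_escape_string() only makes a value safe *inside a quoted string
// literal*. It does nothing for an unquoted value such as an integer id, and it
// relies on the connection character set being set correctly. The mysql_*
// extension is deprecated since PHP 5.5 and removed in PHP 7, so this function
// is kept only to show what the technique looks like.
function lookup_with_escaping($link, string $username): string
{
    $safe = mysql_real_escape_string($username, $link);
    return "SELECT id, email FROM users WHERE username = '" . $safe . "' LIMIT 1";
}

// --- 2. Prepared statements with PDO (what the reply recommends) ---
// The statement text and the data are sent separately, so user input can never
// change the structure of the query, whether the value is quoted or not.
function lookup_with_pdo(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username LIMIT 1');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric parameters are bound as integers; the cast also guarantees that a
// non-numeric value never reaches the database at all.
function lookup_by_id(PDO $pdo, $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO($dsn, $user, $pass, [
    // Throw on errors instead of failing silently.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements rather than client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Form input is passed to the query only through a bound parameter.
$input = $_POST['username'] ?? '';
$row   = lookup_with_pdo($pdo, $input);

// Output is escaped separately; SQL escaping and HTML escaping are different problems.
echo $row ? htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') : 'not found';
```

The point the reply makes shows up in the contrast between the two functions: with escaping, safety depends on every call site remembering to escape and to quote; with `prepare()` and `bindValue()`, the database receives the query and the value as two separate things, so there is nothing for the call site to forget.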
Looks like you have a good first line of defense: mysql_real_escape_string. It's also good to be as specific as possible in queries (it makes them run faster too), like LIMIT 1 and naming specific fields rather than *.